We are all familiar with control of sensitive information
  - In our personal lives
  - In our workplaces

Control regimes vary—from “common sense” to legal controls

Effective management of information is highly dependent on individual action
  - Knowledge of rules and policy
  - Accurate understanding and appreciation of risk

Management of sensitive national security information relies on the same principles


Classified Information

- Information can be classified under Statute or Executive Order
  - The Atomic Energy Act governs Restricted Data and Formerly Restricted Data
  - EO 13526 governs National Security Information
- Levels of Classification are “risk based”
  - Confidential: “undue damage to national security”
  - Secret: “serious damage”
  - Top secret: “exceptionally grave damage”
- Management policies are tied to classification category and level


Controlled Unclassified Information (CUI)

“All unclassified information for which, pursuant to statute, regulation, or agency policy, there is a compelling requirement for safeguarding and/or dissemination controls”

- Subject to EO 13556
- Over one hundred categories are in use across government
- Attempts to regularize categories, policy, access restrictions are ongoing, but having limited success
- Control is much less formal, in most cases
- Management relies on policy, training and adherence to “need to know”

Report and Recommendations of the Presidential Task Force on
Tuesday, November 9, 2010


Title 3— Executive Order 13556 of November 4, 2010 


Controlled Unclassified Information 


The President 


By the authority vested in me as President by the Constitution and the
laws of the United States of America, it is hereby ordered as follows:


Section 1. Purpose. This order establishes an open and uniform program
for managing information that requires safeguarding or dissemination controls
pursuant to and consistent with law, regulations, and Government-wide
policies, excluding information that is classified under Executive Order 13526
of December 29, 2009, or the Atomic Energy Act, as amended.


At present, executive departments and agencies (agencies) employ ad hoc,
agency-specific policies, procedures, and markings to safeguard and control
this information, such as information that involves privacy, security,
proprietary business interests, and law enforcement investigations. This
inefficient, confusing patchwork has resulted in inconsistent marking and
safeguarding of documents, led to unclear or unnecessarily restrictive
dissemination policies, and created impediments to authorized information
sharing. The fact that these agency-specific policies are often hidden from
public view has only aggravated these issues.


To address these problems, this order establishes a program for managing
this information, hereinafter described as Controlled Unclassified
Information, that emphasizes the openness and uniformity of Government-wide
practice.


Sec. 2. Controlled Unclassified Information (CUI).

(a) The CUI categories and subcategories shall serve as exclusive
designations for identifying unclassified information throughout the
executive branch that requires safeguarding or dissemination controls,
pursuant to and consistent with applicable law, regulations, and
Government-wide policies.

(b) The mere fact that information is designated as CUI shall not have
a bearing on determinations pursuant to any law requiring the disclosure
of information or permitting disclosure as a matter of discretion, including
disclosures to the legislative or judicial branches.

(c) The National Archives and Records Administration shall serve as the
Executive Agent to implement this order and oversee agency actions to
ensure compliance with this order.

Sec. 3. Review of Current Designations. 

(a) Each agency head shall, within 180 days of the date of this order:
(1) review all categories, subcategories, and markings used by the agency
to designate unclassified information for safeguarding or dissemination
controls; and
(2) submit to the Executive Agent a catalogue of proposed categories
and subcategories of CUI, and proposed associated markings for information
designated as CUI under section 2(a) of this order. This submission shall
provide definitions for each proposed category and subcategory and
identify the basis in law, regulation, or Government-wide policy for
safeguarding or dissemination controls.

(b) If there is significant doubt about whether information should be 
designated as CUI, it shall not be so designated. 

Sec. 4. Development of CUI Categories and Policies. 
U.S. DEPARTMENT OF ENERGY
Office of Classification and Information Control
Washington, DC 20585

For demonstration purposes only, no OUO information revealed


Original classifiers: a few government officials

Derivative classifiers: many trained individuals
  - Decisions are based on Classification Guides

Guides are drafted by committees.
  - Some are very information specific
  - Others are broader and “risk informed”

Approaches for designating CUI are more heterogeneous and less formal
  - CUI frequently governs the “type” of information rather than specific information

Review of documents is a critical procedure to ensure proper classification: to ensure neither underclassification nor overclassification occurs.
This is a Cover Sheet


WARNING: This record contains Sensitive 
Security Information that is controlled under 
49 CFR Parts 15 and 1520. No part of this 
record may be disclosed to persons without a 
“need to know,” as defined in 49 CFR Parts 15 
and 1520, except with the written permission of 
the Administrator of the Transportation 
Security Administration or the Sec — 


Sensitive Security In 


For demonstration purposes only, no CUI information revealed


Policies governing proper identification and control are in place
  - Review at stages

Sensitive information should be clearly marked

Sensitive information is stored, handled, and transmitted in specified ways

Access is limited to authorized individuals with need to know (NTK)
  - Can include clearances, job function, other criteria

Procedures exist to identify mistakes or accidents
  - Mitigate consequences
  - Inform process improvements


Need to Know (NTK)

The NTK principle is extremely important in managing access to both classified information and CUI

- Credentials (clearances or other qualifications) can make a person eligible to access certain information, but such credentials do not establish a right to access information
- NTK management can be very formal
  - With training, formal briefing into (and out of) NTK groups
- In other cases, NTK determination is based on the assessment of individuals who hold information
- Strong cultural reinforcement enables individuals to deny access to information for which they have no NTK
- Training is critical
  - At Sandia, training begins (for everyone) upon employment and continues at regular intervals (at least annually)
  - Failure to complete training can (and does) result in automatic loss of access to the workplace
- Awareness
  - Postings, placards, signage throughout the workplace reinforce awareness of sensitive information, risks associated with mishandling it, and individual responsibility
  - Information about adversary attempts to access sensitive information (across government) is regularly shared (as appropriate)
  - Briefings to provide insights into threats to sensitive information can heighten awareness of risk
- Derivative classifiers, management, and information control specialists answer questions and provide both guidance and support


Risk Assessment 
R&D in biology offers enormous benefits to public health and economic prosperity
  - These benefits are widely understood and discussed

Such work also carries credible risks
  - Risks arise from possible adversary action
  - and from potential accidents
  - While potential risks are discussed, detailed information about them is typically not so available

In a national security environment, risk information is more widely available
  - Such information is very important in risk/benefit analyses


Control of Sensitive Information Relies on Structure and Culture

- Rules, policies and procedures
- Guidance
  - Risk informed approaches can be important
- Training
- Review of projects, information
  - At all stages
- Support
- Culture
  - Responsibility
  - Awareness
  - Informed understanding of risk
    - To information
    - To public health